Add access object

lcawl · lcawl · commit 090a395493ef · 2024-10-23T13:55:32.000-07:00
diff --git a/specification/security/_types/Access.ts b/specification/security/_types/Access.ts
@@ -0,0 +1,31 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { RemoteIndicesPrivileges, ReplicationAccess } from './Privileges'
+
+export class Access {
+  /**
+   * A list of indices permission entries for cross-cluster replication.
+   */
+  replication?: ReplicationAccess[]
+  /**
+   * A list of indices permission entries for cross-cluster search.
+   */
+  search?: RemoteIndicesPrivileges[]
+}
diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts
@@ -376,3 +376,10 @@ export class ApplicationGlobalUserPrivileges {
 export class ManageUserPrivileges {
   applications: string[]
 }
+
+export class ReplicationAccess {
+  /**
+   * A list of indices (or index name patterns) to which the permissions in this entry apply.
+   */
+   names: IndexName[]
+}
diff --git a/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts b/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts
@@ -18,8 +18,10 @@
  */
 
 import { RequestBase } from '@_types/Base'
+import { Dictionary } from '@spec_utils/Dictionary'
 import { Metadata, Name } from '@_types/common'
 import { Duration } from '@_types/Time'
+import { Access } from '@security/_types/Access'
 
 /**
  * Create a cross-cluster API key.
@@ -30,6 +32,8 @@ import { Duration } from '@_types/Time'
  * IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.
  *
  * Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.
+ * 
+ * NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the `access` property.
  *
  * A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.
  *
@@ -44,6 +48,15 @@ import { Duration } from '@_types/Time'
  */
 export interface Request extends RequestBase {
   body: {
+    /**
+     * The access to be granted to this API key.
+     * The access is composed of permissions for cross-cluster search and cross-cluster replication.
+     * At least one of them must be specified.
+     *
+     * NOTE: No explicit privileges should be specified for either search or replication access.
+     * The creation process automatically converts the access specification to a role descriptor which has relevant privileges assigned accordingly.
+     */
+    access: Access
     /**
      * Expiration time for the API key.
      * By default, API keys never expire.
diff --git a/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts b/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts
@@ -20,6 +20,8 @@
 import { RequestBase } from '@_types/Base'
 import { Id, Metadata } from '@_types/common'
 import { Duration } from '@_types/Time'
+import { Access } from '@security/_types/Access'
+import { Dictionary } from '@spec_utils/Dictionary'
 
 /**
  * Update a cross-cluster API key.
@@ -37,6 +39,13 @@ export interface Request extends RequestBase {
     id: Id
   }
   body: {
+    /**
+     * The access to be granted to this API key.
+     * The access is composed of permissions for cross cluster search and cross cluster replication.
+     * At least one of them must be specified.
+     * When specified, the new access assignment fully replaces the previously assigned access.
+     */
+    access: Access
     /**
      * Expiration time for the API key.
      * By default, API keys never expire. This property can be omitted to leave the value unchanged.
